After seeing an increase in stolen information being used to file fraudulent state tax returns, TurboTax announced that the processing of all state filings has been halted and the option to file state taxes online no longer exists.
The software company has said that there is no data breach within TurboTax databases, but that personal information stolen elsewhere has been used to file state tax returns, prompting the halt in state return processing. Federal taxes can still be filed, and state tax returns that have already been filed will be transmitted once the problem is solved.
“We understand the role we play in this important industry issue and continuously monitor our systems in search of suspicious activity,” Brad Smith, president and CEO of software company and TurboTax owner Intuit, said in a statement. “We’ve identified specific patterns of behavior where fraud is more likely to occur. We’re working with the states to share that information and remedy the situation quickly. We will continue to engage them on an ongoing basis in an effort to stop fraud before it gets started.”
Smith reiterated that no TurboTax data has been compromised.
In response to the TurboTax announcement, the state of Minnesota has stopped accepting tax returns filed through the online software program.
TurboTax’s decision follows another data breach this week. Anthem, the nation’s second-largest health insurance company, joined the ranks of Target, Home Depot and a number of other major companies after experiencing a data breach.
As computer hacking attacks continue and become more sophisticated, questions over how to put data breaches to rest become increasingly important.
Anthem’s CEO Joseph Swedish reported on Thursday that despite “state-of-the-art information security systems,” a database containing personal records of more than 80 million people, including social security numbers, medical IDs and income data, was accessed.
After notifying the FBI, “Anthem has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape,” Swedish said in a statement.
If “state-of-the-art information security systems” can’t keep cyber attackers out, what will?
Paul Saffo, a Silicon Valley technology forecaster at Stanford, said there is no easy fix. Instead, the problem lies in the architecture of the computer security systems.
“The only solution is to re-architect with reliable hardware and reliable software,” Saffo said. To solve the problem without an overhaul of the system would be like “trying to pour a concrete foundation onto quicksand.”
Peter Neumann of SRI International, a technology and computing research nonprofit, echoed Saffo’s statements that there is no quick fix and that an entire overhaul is needed instead. Such an overhaul is currently being done in a project called Clean Slate by the Department of Defense’s Defense Advanced Research Projects Agency. The goal is to develop new computing systems around security to protect against cyber-attacks.
Others are taking a different approach to data breaches, including expecting a cyber-attack in the first place. Mark Bower, the Vice President of Product Management & Solutions Architecture at Voltage Security, said the key is to neutralize data so a cyber attack’s effect is minimal.
“Ultimately you have to assume that, as a business today, with the level of malware out there today, with the sophistication of hackers, you are going to get breached at some point,” Bower said. “So what you have to think about making that a non-event and neutralizing your data from the breach is the way to do that. And there are technologies out there that are very simple and straightforward that are not disruptive to everyday business dealings.”
In a similar manner, Kevin Duggan, CEO of security consulting firm Camouflage Software, said masking data means that if a cyber attack is able to steal information, the data would be useless out of context.
“The most successful solution that many enterprises, including healthcare providers, are starting to deploy is new technologies that render data useless if stolen, such as data masking or anonymization which manipulates data so that it’s still useable by doctors and nurses, but unable to be tied back to the individual patient,” he said in an email.